Group Policy Links Backup and Restore functions
Updated on 2/20/2014:
restore-gplink function was updated to incorporate cases that were not included at first.
===================================
Hi
A few months back, I put together a function that allowed me to collect the GPLinks information on targeted OUs and sites.
In the post it was also explained how you could run that function on an OU structure to create a global GPlink backup file.
Recently, though, I thought that it would be more useful to be able to target a GPO and back up the locations where it is linked.
And of course once you have the backup you will want to be able to restore it.
Dependencies:
Those new functions (at least the backup one) will need you to use the “get-gplink” function I have created.
The main reason is the format that I have used to export information on the status of the links.
As you can see, I return the values as “yes” and “no”.
Using the get-gpinheritance cmdlet, it returns “True” and “False”.
The problem is that the cmdlets “new-gplink” and “set-gplink”, when it comes to the switches, expect a value of “yes” or “no”.
So because I do not want to have to manipulate those outputs, I simply use my function.
By the way, this was why I set the output of my function to use “yes” and “no” from the start.
Backup-gplink function
The best way I know of getting where a GPO is linked (besides using GPMC) is to look at a GPO report.
With PowerShell you can get that report with a simple line:
What we are interested in is the “links” part of the report as it contains the information we are looking for. Be careful as it only includes the links of the GPO in its own domain.
Now HTML is fine for viewing but not for parsing.
We can change the output of the get-gpreport to export in xml and we can even load that output into a variable.
The [xml] at the beginning of the line is to declare the type of the variable $xml. Basically we have declared that the content of the variable is in xml format.
Now what can we do with that variable… Well navigate its content of course.
We now have a format that we can manipulate and we have almost all the information we need, we are only missing the link order… and that is a shame.
That is where we need to use get-gplink to collect that information.
So out of that report I am only interested in the SOMPath that will contain all the locations where the GPO is linked.
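The following is an added example, not the author's script: it reads the links section of a GPO XML report and converts each SOMPath into the distinguished name the GPLink cmdlets take as a target. The XML is a constructed sample and the helper name ConvertTo-SomDistinguishedName is hypothetical; link order is not in the report and still has to come from get-gplink.

```powershell
# Added example. The XML below is a constructed sample in the shape of the
# <LinksTo> section of a Get-GPReport XML report; on a domain-joined host the
# real report would be loaded with:
#   [xml]$xml = Get-GPReport -Name 'My GPO' -ReportType Xml
[xml]$xml = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Constructed Sample GPO</Name>
  <LinksTo>
    <SOMName>example</SOMName>
    <SOMPath>example.test</SOMPath>
    <Enabled>true</Enabled>
    <NoOverride>false</NoOverride>
  </LinksTo>
  <LinksTo>
    <SOMName>Web</SOMName>
    <SOMPath>example.test/Servers/Web</SOMPath>
    <Enabled>false</Enabled>
    <NoOverride>true</NoOverride>
  </LinksTo>
</GPO>
'@

# Hypothetical helper: turn a canonical SOMPath (domain/OU/OU) into the
# distinguished name that New-GPLink and Set-GPLink expect as -Target.
# Assumption: only domains and OUs are handled; site links and OU names
# that contain '/' or ',' are not.
function ConvertTo-SomDistinguishedName {
    param([Parameter(Mandatory)][string]$SomPath)
    $parts  = $SomPath -split '/'
    $domain = ($parts[0] -split '\.' | ForEach-Object { "DC=$_" }) -join ','
    if ($parts.Count -eq 1) { return $domain }
    $ous = $parts[($parts.Count - 1)..1] | ForEach-Object { "OU=$_" }
    return (@($ous) + $domain) -join ','
}

# One object per link; 'true'/'false' from the report become the 'Yes'/'No'
# values that -LinkEnabled and -Enforced take.
$links = foreach ($l in $xml.GPO.LinksTo) {
    [pscustomobject]@{
        GpoName  = $xml.GPO.Name
        Target   = ConvertTo-SomDistinguishedName -SomPath $l.SOMPath
        Enabled  = if ($l.Enabled    -eq 'true') { 'Yes' } else { 'No' }
        Enforced = if ($l.NoOverride -eq 'true') { 'Yes' } else { 'No' }
    }
}
$links | Format-Table -AutoSize
```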
Once you have registered the functions by dot-sourcing the script I have provided, you will be able to use the function “Backup-gplink”.
The function has two parameters:
Gponame: the name of the GPO whose GPLinks you want to back up
path: path to where you want to save the backup file (in this example the variable $pwd indicates the location of my prompt, “C:\Users\Administrator\Documents”)
The output is a simple csv file, named <gponame>_gplinksbackup.csv, that you can later view and manipulate.
Restore-gplink
Once you have that backup, you might want to use it to restore a GPO's GPLinks.
That function is very simple and has only one input and a switch.
It will consume the content of the CSV file and use either the cmdlet “new-gplink” to link the GPO to the locations where it was previously linked or, if it is already linked, “set-gplink” to re-apply the configuration that was in the backup (in case it was changed).
So you have your GPO linked:
After an error (human or else..) the links are gone:
Run the above command
The links will be restored but with a disabled state. The idea is to prevent restoring a GPO link that would impact the production.
You will manually have to enable the link again to make it effective.
The script will change the link order from the one in the backup if there is not the same number of links on the SOM, or if the restored gplink is the only one and had an order different than 1 in the backup.
If the GPO is still linked at the same location, the script will not, by default, change the values of the link.
However if you want to force the values that are in the backup file, you can use the -force switch:
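The decisions described above, as an added example that is not the author's Restore-gplink code: it builds a restore plan from backup rows without touching Active Directory. The CSV column names, the function name Get-GpLinkRestorePlan and the sample data are constructed, and moving an order that no longer fits to the last position is an assumption about how to handle a changed link list.

```powershell
# Added example: plans a restore without touching AD. Column names
# (GpoGuid, Target, Enabled, Enforced, Order) are hypothetical.
function Get-GpLinkRestorePlan {
    param(
        [Parameter(Mandatory)][object[]]$Backup,         # rows from the backup CSV
        [Parameter(Mandatory)][hashtable]$CurrentLinks,  # target DN -> GUIDs linked now
        [switch]$Force
    )
    foreach ($row in $Backup) {
        $linked = @()
        if ($CurrentLinks.ContainsKey($row.Target)) { $linked = @($CurrentLinks[$row.Target]) }
        $present = $linked -contains $row.GpoGuid

        if ($present -and -not $Force) {
            # Still linked: leave the live settings alone unless -Force is given.
            $action = 'Skip'; $enabled = $null; $order = $null
        } elseif ($present) {
            # -Force: re-apply the backed-up values with Set-GPLink.
            $action = 'Set-GPLink'; $enabled = $row.Enabled
            $order  = [Math]::Min([int]$row.Order, $linked.Count)
        } else {
            # Link is gone: recreate it disabled so nothing applies until reviewed,
            # and never place it higher than the backed-up order.
            $action = 'New-GPLink'; $enabled = 'No'
            $order  = [Math]::Min([int]$row.Order, $linked.Count + 1)
        }
        [pscustomobject]@{
            Action = $action; Guid = $row.GpoGuid; Target = $row.Target
            LinkEnabled = $enabled; Enforced = $row.Enforced; Order = $order
        }
    }
}

# Constructed backup rows and constructed current state.
$backup = @'
GpoGuid,Target,Enabled,Enforced,Order
11111111-1111-1111-1111-111111111111,"OU=Web,OU=Servers,DC=example,DC=test",Yes,No,3
11111111-1111-1111-1111-111111111111,"DC=example,DC=test",Yes,Yes,1
'@ | ConvertFrom-Csv
$current = @{
    'OU=Web,OU=Servers,DC=example,DC=test' = @('22222222-2222-2222-2222-222222222222')
    'DC=example,DC=test' = @('11111111-1111-1111-1111-111111111111')
}
Get-GpLinkRestorePlan -Backup $backup -CurrentLinks $current | Format-Table -AutoSize
```

The first row comes back as a disabled New-GPLink at order 2 (the backed-up position 3 no longer exists); the second is skipped unless -Force is passed.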
Backupgpofull
Here is a quick and dirty way of planning a daily backup of your GPOs with their GPLinks. This script will remove content that is older than a day and do a backup of the GPOs and the GPOs' links.
# Remove backups that are more than a day old
Get-ChildItem -Path $pwd\bck | Where-Object { $_.LastAccessTime -le (Get-Date).AddDays(-1) } | ForEach-Object { Remove-Item -Path $_.FullName -Force -Recurse }
# Back up every GPO and, next to it, the CSV of its links
Get-GPO -All | ForEach-Object {
    Backup-GPO -Name $_.DisplayName -Path $pwd\bck
    Backup-gplink -gponame $_.DisplayName -path $pwd\bck
}
Restoregpofull
Based on that output you could use the following code to restore your backup and their gplinks
# Each directory is one Backup-GPO backup, named after its backup ID
$directories = Get-ChildItem -Path $pwd\bck -Directory
# Each file is one <gponame>_gplinksbackup.csv
$files = Get-ChildItem -Path $pwd\bck -File
foreach ($d in $directories)
{
    Restore-GPO -BackupId $d.Name -Path $pwd\bck
}
foreach ($f in $files)
{
    Restore-gplink -path $pwd\bck\$($f.Name)
}
As usual, I hope you find this useful in your daily work, and please give me feedback on this.
Script can be found here
Comments
- Anonymous
February 19, 2014
Good stuff. We (SDM Software) used to have a GPO backup management product that, among other things, backed up and restored GP links. One problem, which I don't see you have addressed here, but you may want to think about, is what happens when you restore a link with a link order, and the overall link list has changed (i.e. some GPO links have been removed or added since the backup of the links was last made). This is a problem we had to deal with and in the end decided that if we could not restore the link order (i.e. we were restoring to link position 2 but there was only one GPO left on the SOM) then we would punt and restore to the last position (i.e. lowest priority). This ensured that we didn't accidentally restore a GPO to a number one position when we didn't want it there. Hope that helps.
- Anonymous
February 20, 2014
Thanks for your input Darren. I'm working on your suggestions to take those cases into account.
- Anonymous
February 26, 2016
Hey Thomas, excellent article. Very useful. Thanks a lot!!
I used it to help a customer and I'd like to provide some feedback.
I had to change the function Restore-GPLink.
In the New-GPLink code, you are using the GPO DisplayName to restore the GPO Link. It was causing some errors due to special characters in the GPO Display Name. I changed it to use the GPO GUID instead of the GPO Displayname.